SingPass should be secured swiftly

I was on leave last week and watched from the sidelines as I read that more than 1,500 SingPass accounts may have been breached. SingPass is Singapore's universal online access to e-government services, which include those for filing income tax returns and checking CPF account balances.

I decided to do some checking on my own. Three sets of numbers, which kept appearing in news reports, seemed confusing to me.

The first number concerned the 1,560 accounts which the Infocomm Development Authority (IDA) said "were potentially accessed without the users' permission".

Of these, 419 had had their passwords reset and therefore stood an even higher chance of having been hacked into.

Then, there were the 11 (from the group of 419) who complained to Crimson Logic, the company which operates the SingPass system on behalf of the Government, that they had received letters informing them they had reset their passwords, even though they had not done so.

I did some digging and figured out what I thought the IDA was saying.

To understand the situation better, it is first necessary to understand how SingPass works. When SingPass was launched in 2003, users who forgot their passwords had to do one of two things to reset their passwords.

The first was to submit an online request to have the password reset. Within a week or so, the system would send a letter by post to the user, to inform him of his new password.

The second method was to visit, in person, one of the several SingPass counters in some community centres in Singapore to get an instant password reset.

Neither was convenient. So, in 2007, a third option was added - requesting an immediate online password reset.

To do this, a user has to first activate the reset feature by entering his mobile phone number. This is necessary so that when he actually requests a password reset, a one-time PIN is sent to the pre-registered mobile number.

He then has to key this PIN into the SingPass website before he can reset his password online.

This "second-factor" authentication was designed to make it harder for hackers to breach SingPass accounts, as hackers would need to have the account holder's mobile phone on hand, in addition to his ID and password details.
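The reset flow described above, as an added illustration that is not code from SingPass, Crimson Logic or the IDA: a PIN is issued only to the mobile number registered beforehand, it expires, it can be used once, and a new password is accepted only after that PIN is keyed in. The PIN lifetime, the attempt cap and the hashing parameters are assumptions for this example. Note that in this model whoever controls the mobile-registration step controls the reset, which is why the binding of a number to an account is the step a defender has to protect and monitor.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a reset PIN (not a SingPass figure)
MAX_ATTEMPTS = 3        # assumed cap on wrong-PIN guesses per reset request
PBKDF2_ROUNDS = 200_000 # assumed work factor for the stored password hash


class ResetService:
    """Toy model of the online password reset with an SMS one-time PIN.

    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._mobiles = {}    # account -> pre-registered mobile number
        self._passwords = {}  # account -> (salt, pbkdf2 digest)
        self._pending = {}    # account -> {"pin", "issued", "attempts"}
        self.sent_sms = []    # (mobile, pin) pairs the SMS gateway would deliver

    def register_mobile(self, account, mobile):
        # Binding step: the second factor is only as trustworthy as this call.
        self._mobiles[account] = mobile

    def request_reset(self, account):
        mobile = self._mobiles.get(account)
        if mobile is None:
            return False  # no pre-registered number: letter or counter only
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = {"pin": pin, "issued": self._clock(), "attempts": 0}
        self.sent_sms.append((mobile, pin))
        return True

    def complete_reset(self, account, pin, new_password):
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() - entry["issued"] > OTP_TTL_SECONDS:
            del self._pending[account]  # expired PIN is discarded
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["pin"], pin):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[account]  # too many guesses burns the PIN
            return False
        del self._pending[account]  # correct PIN is single use
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self._passwords[account] = (salt, digest)
        return True

    def check_password(self, account, password):
        stored = self._passwords.get(account)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    svc = ResetService(clock=lambda: 1000.0)
    svc.register_mobile("acct-001", "+65 9000 0000")
    svc.request_reset("acct-001")
    mobile, pin = svc.sent_sms[-1]
    print("PIN sent to", mobile)
    print("reset ok:", svc.complete_reset("acct-001", pin, "new-secret"))
    print("login ok:", svc.check_password("acct-001", "new-secret"))
```

The `sent_sms` list stands in for the SMS gateway so the whole exchange can be followed offline; in a real deployment the PIN would never be returned to the caller.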

The current situation started with the 11 users who received the password reset letters and notified Crimson Logic.

Crimson Logic conducted checks and found a large group of SingPass accounts - 1,560 to be exact - in which an unusually high number of accounts were linked to a small pool of mobile phone numbers.

It is not uncommon for one mobile number to be linked to multiple SingPass accounts, as the most tech-savvy member of a household sometimes signs up for the password-reset feature on behalf of the entire family.

The IDA would not say how high the number of connections had to be before it registered as an anomaly, but in this case, too many of the 1,560 accounts were linked to too few mobile phone numbers. This made the accounts suspect.
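The check described in the last few paragraphs, as an added example that is not the IDA's or Crimson Logic's code: group reset-feature bindings by mobile number, and flag any number bound to more accounts than a household could plausibly account for. The cut-off (`HOUSEHOLD_LIMIT`), the number-normalisation rule and the sample bindings are all constructed for this example; the IDA did not disclose its threshold. Normalising the number before grouping matters, because the same number written with or without a country code or spaces would otherwise split one cluster into several smaller ones that each sit under the limit.

```python
import re
from collections import defaultdict

# Assumed cut-off for this example: more than this many accounts on one
# number is treated as beyond what a single household explains.
HOUSEHOLD_LIMIT = 5


def normalise_mobile(raw):
    """Collapse formatting so '+65 9111 1111', '6591111111' and '9111 1111'
    compare equal. Assumes 8-digit Singapore numbers with an optional +65."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10 and digits.startswith("65"):
        digits = digits[2:]
    return digits


def cluster_by_mobile(bindings):
    """Map each normalised mobile number to the set of accounts bound to it."""
    groups = defaultdict(set)
    for account, mobile in bindings:
        groups[normalise_mobile(mobile)].add(account)
    return groups


def flag_shared_numbers(bindings, limit=HOUSEHOLD_LIMIT):
    """Return {mobile: sorted accounts} for every number bound to more than
    `limit` distinct accounts."""
    return {m: sorted(a) for m, a in cluster_by_mobile(bindings).items() if len(a) > limit}


def suspect_accounts(bindings, limit=HOUSEHOLD_LIMIT):
    """All accounts that sit behind a flagged number, for follow-up review."""
    flagged = flag_shared_numbers(bindings, limit)
    return sorted(set().union(*flagged.values())) if flagged else []


def accounts_per_number(bindings):
    """The overall ratio the column refers to: distinct accounts per distinct number."""
    groups = cluster_by_mobile(bindings)
    total_accounts = len({a for accts in groups.values() for a in accts})
    return total_accounts / len(groups) if groups else 0.0


# Constructed sample: a legitimate household of four sharing one number
# (written four different ways), plus twelve accounts bound to just two
# numbers, six apiece.
SAMPLE_BINDINGS = [
    ("acct-001", "+65 9111 1111"), ("acct-002", "9111 1111"),
    ("acct-003", "91111111"), ("acct-004", "+6591111111"),
] + [(f"acct-1{i:02d}", "+65 8222 2222" if i % 2 else "8333-3333") for i in range(12)]


if __name__ == "__main__":
    print(f"accounts per number: {accounts_per_number(SAMPLE_BINDINGS):.2f}")
    for mobile, accts in flag_shared_numbers(SAMPLE_BINDINGS).items():
        print(f"{mobile}: {len(accts)} accounts -> {accts}")
```

Running it flags the two heavily shared numbers and leaves the household of four alone; raising `limit` to 6 clears both flags, which is exactly the sensitivity trade-off the undisclosed IDA threshold embodies.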